-sP Ping scanning. Sometimes you only want to know which hosts on a network are up. nmap can do this by sending ICMP echo request packets to every IP address on the networks you specify; hosts that respond are up. Unfortunately, some sites such as microsoft.com block echo request packets, so nmap can also send a TCP ACK packet to (by default) port 80. If an RST comes back, that machine is up. A third technique sends a SYN packet and waits for either an RST or a SYN/ACK. For nonroot users, who cannot send raw packets, a connect() method is used instead. By default (for root users), nmap uses both the ICMP and ACK techniques in parallel. You can change this with the -P options described later. Note that pinging is done by default anyway, and only hosts that respond are scanned, so use this option only if you wish to ping sweep without doing any actual port scans. Bear in mind that a host whose firewall silently drops all of these probes is reported as down even though it is up: a negative result from a ping sweep is not proof that a host is absent.
684 Practical Hacking Techniques and Countermeasures
Chapter Tool Syntax
Chapter 3
(continued)
Ping
-sU UDP scans. This method is used to determine which UDP (User Datagram Protocol, RFC 768) ports are open on a host. The technique is to send 0-byte UDP packets to each port on the target machine. If an ICMP port unreachable message comes back, the port is closed; otherwise it is assumed to be open. That assumption is weak: a port whose probes are dropped by a firewall, or a host that rate limits its ICMP unreachable messages (Linux sends at most about one per second by default), is also silent, so "no reply" really means open or filtered, and UDP scans of such hosts are slow. Some people think UDP scanning is pointless. I usually remind them of the recent Solaris rpcbind hole. Rpcbind can be found hiding on an undocumented UDP port somewhere above 32770, so it does not matter that port 111 is blocked by the firewall.
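Added example, not from the book or from nmap itself: the probe-and-reply logic that both entries above describe (ICMP echo, TCP ACK/RST and SYN/SYN-ACK for -sP; 0-byte UDP and ICMP port unreachable for -sU), modelled in pure Python on packets constructed inline. It sends nothing; a real scanner would write the same byte strings to a raw socket, which needs root, which is why nmap falls back to connect() for nonroot users. The addresses 10.0.0.5 and 10.0.0.9, the ports and the function names are assumptions; the option names -PE, -PA and -PS are those of current nmap releases.

```python
# Added example (not from the book or nmap): the reply logic behind
# nmap -sP host discovery and -sU UDP scanning, modelled on constructed
# packets with the standard library only. Addresses and ports are made up.
import struct
from ipaddress import IPv4Address

ICMP, TCP, UDP = 1, 6, 17
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
SCANNER, TARGET = "10.0.0.5", "10.0.0.9"        # constructed addresses

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a correctly checksummed message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options) with checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_icmp(icmp_type, code, rest=b"\0\0\0\0", body=b""):
    """ICMP message with a valid checksum; `rest` is the 4 bytes after it."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def build_icmp_echo_request(ident, seq, payload=b"nmap"):
    """The -PE probe: ICMP type 8, code 0."""
    return build_icmp(8, 0, struct.pack("!HH", ident, seq), payload)

def build_tcp(sport, dport, flags, seq=0, ack=0):
    """Bare TCP header; checksum left 0 because these are constructed samples."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 1024, 0, 0)

def build_udp(sport, dport, payload=b""):
    """UDP header (checksum 0 is legal for IPv4) plus optional payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[ihl:]

def classify_discovery_reply(pkt):
    """What -sP learns from one reply: (host, reason) or None if it proves nothing."""
    proto, src, _, payload = parse_ipv4(pkt)
    if proto == ICMP and payload[0] == 0:                # echo reply answers -PE
        return src, "up (ICMP echo reply)"
    if proto == TCP:
        flags = payload[13]
        if flags & TCP_RST:                              # RST answers the -PA ACK probe
            return src, "up (TCP RST)"
        if flags & TCP_SYN and flags & TCP_ACK:          # SYN/ACK answers a -PS SYN probe
            return src, "up (TCP SYN/ACK)"
    return None

def classify_udp_reply(pkt, target, port):
    """What -sU learns from one reply to a 0-byte UDP probe sent to target:port."""
    proto, src, _, payload = parse_ipv4(pkt)
    if proto == ICMP and payload[0] == 3 and payload[1] == 3:
        # Port unreachable quotes our probe's IP header plus its first 8 bytes,
        # so check that the quote really refers to the port we probed.
        in_proto, _, in_dst, in_udp = parse_ipv4(payload[8:])
        if in_proto == UDP and in_dst == target and struct.unpack("!H", in_udp[2:4])[0] == port:
            return "closed"
    if proto == UDP and src == target and struct.unpack("!H", payload[:2])[0] == port:
        return "open"                                    # the service itself answered
    return None

def udp_port_state(replies, target, port):
    """Silence means open OR filtered; the old 'assume open' rule hides that ambiguity."""
    for reply in replies:
        verdict = classify_udp_reply(reply, target, port)
        if verdict:
            return verdict
    return "open|filtered"

def demo():
    """Run the classifiers over constructed replies from TARGET to SCANNER."""
    echo_reply = build_ipv4(ICMP, TARGET, SCANNER, build_icmp(0, 0, struct.pack("!HH", 1, 1), b"nmap"))
    rst = build_ipv4(TCP, TARGET, SCANNER, build_tcp(80, 40000, TCP_RST | TCP_ACK))
    synack = build_ipv4(TCP, TARGET, SCANNER, build_tcp(80, 40000, TCP_SYN | TCP_ACK))
    probe = build_ipv4(UDP, SCANNER, TARGET, build_udp(40001, 32771))   # our 0-byte UDP probe
    unreachable = build_ipv4(ICMP, TARGET, SCANNER, build_icmp(3, 3, body=probe[:28]))
    answer = build_ipv4(UDP, TARGET, SCANNER, build_udp(32771, 40001, b"\x80"))
    return {
        "echo": classify_discovery_reply(echo_reply),
        "rst": classify_discovery_reply(rst),
        "synack": classify_discovery_reply(synack),
        "udp_closed": udp_port_state([unreachable], TARGET, 32771),
        "udp_open": udp_port_state([answer], TARGET, 32771),
        "udp_silent": udp_port_state([], TARGET, 32771),
    }
```

The point of `udp_port_state` is the third outcome: when no ICMP port unreachable and no UDP answer arrive, the code reports "open|filtered" rather than "open", which is the honest reading of silence from a firewalled or rate-limited host. Similarly, `classify_udp_reply` checks that the quoted header inside the unreachable message matches the port actually probed, so an unrelated unreachable message cannot mark the wrong port closed.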